chore(workflow): use image digest

nais · Apr 27, 2023 · 28d33d2 · 28d33d2
1 parent d64ae26
commit 28d33d2
Showing 1 changed file with 11 additions and 17 deletions.
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
@@ -43,6 +43,7 @@ jobs:
     outputs:
       cli-tag: ${{ steps.container-tags.outputs.cli-tag }}
       action-tag: ${{ steps.container-tags.outputs.action-tag }}
+      digest: ${{ steps.docker_build.outputs.digest }}
     needs:
       - set-version
       - test
@@ -110,13 +111,15 @@ jobs:
           echo "PUSH=true" >> $GITHUB_ENV
       - name: Build and push
         uses: docker/build-push-action@3b5e8027fcad23fda98b2e3ac259d8d67585f671 # ratchet:docker/build-push-action@v4
+        id: docker_build
         with:
           push: ${{ env.PUSH }}
           tags: ${{ steps.container-tags.outputs.cli-tag }},${{ steps.container-tags.outputs.action-tag }}
           labels: version=${{ needs.set-version.outputs.version }},revision=${{ github.sha }}
           build-args: |
             COSIGN_VERSION=${{ env.COSIGN_VERSION }}
             GRADLE_VERSION=${{ env.GRADLE_VERSION }}
+
       - name: Update major/minor version tag
         if: ${{ github.ref == 'refs/heads/main' }}
         run: "git tag -f ${{ env.VERSION }}\ngit push -f origin ${{ env.VERSION }} \n"
@@ -129,8 +132,7 @@ jobs:
     runs-on: ubuntu-20.04
     if: ${{ github.ref == 'refs/heads/main' }}
     env:
-      CLI_IMAGE_TAG: "${{ needs.build.outputs.cli-tag }}"
-      ACTION_IMAGE_TAG: "${{ needs.build.outputs.action-tag }}"
+      DIGEST: "${{ needs.build.outputs.digest }}"
     steps:
       - name: Install cosign
         uses: sigstore/cosign-installer@b3413d484cc23cf8778c3d2aa361568d4eb54679 # ratchet:sigstore/cosign-installer@v2.5.1
@@ -149,33 +151,25 @@ jobs:
       - name: Sign Docker image
         run: |
           echo '${{ secrets.COSIGN_PRIVATE_KEY }}' > cosign.key
-          cosign sign --yes --key cosign.key ${{ env.CLI_IMAGE_TAG }}
-          cosign sign --yes --key cosign.key ${{ env.ACTION_IMAGE_TAG }}
+          cosign sign --yes --key cosign.key ${{ env.IMAGE_NAME }}@{{ env.DIGEST }}
+          cosign sign --yes --key cosign.key ${{ env.IMAGE_NAME }}@{{ env.DIGEST }}
         env:
           COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
       - name: Verify and attach attestation
         env:
           COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
         run: |
           echo '${{ secrets.COSIGN_PUBLIC_KEY }}' > cosign.pub
-          cosign verify --key cosign.pub ${{ env.CLI_IMAGE_TAG }}
-
-          syft attest -o spdx-json ${{ env.CLI_IMAGE_TAG }} > sbom-cli.json
-          cosign attach attestation --attestation sbom-cli.json ${{ env.CLI_IMAGE_TAG }}
-          cosign verify-attestation --type spdxjson --key cosign.pub ${{ env.CLI_IMAGE_TAG }} > cosignverify-cli.json
-
-          cosign verify --key cosign.pub ${{ env.ACTION_IMAGE_TAG }}
-          syft attest -o spdx-json ${{ env.ACTION_IMAGE_TAG }} > sbom-action.json
-          cosign attach attestation --attestation sbom-action.json ${{ env.ACTION_IMAGE_TAG }}
-          cosign verify-attestation --type spdxjson --key cosign.pub ${{ env.ACTION_IMAGE_TAG }} > cosignverify-action.json
+          cosign verify --key cosign.pub ${{ env.IMAGE_NAME }}@{{ env.DIGEST }}
+          syft attest -o spdx-json ${{ env.IMAGE_NAME }}@{{ env.DIGEST }} > sbom-cli.json
+          cosign attach attestation --attestation sbom-cli.json ${{ env.IMAGE_NAME }}@{{ env.DIGEST }}
+          cosign verify-attestation --type spdxjson --key cosign.pub ${{ env.IMAGE_NAME }}@{{ env.DIGEST }} > cosignverify.json
       - name: Upload provenance
         uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # ratchet:actions/upload-artifact@v3
         with:
           path: |
             ./sbom-cli.json
-            ./sbom-action.json
-            ./cosignverify-cli.json
-            ./cosignverify-action.json
+            ./cosignverify.json
       - name: Clean up
         if: ${{ always() }}
         run: |